Solved

TrueCrype - Finding ballance between usability and security

Posted on 2011-09-13
7
482 Views
Last Modified: 2012-05-12
I have a file server in a location which is a little out of the way. I understand that encrypting the system drive with TrueCRYPT means that authentication happens pre-boot. This would mean that physical access to the server is required after each restart (currently all [software] admin work is done through remote desktop).

My questions are:

a), does encrypting the sys drive increase data security if confidential information is already encrypted on an external drive, and the OS is basically a clean install shell....

b), if sys drive encryption is to be used, is it possible to have automatic encryption authentication? Does this sound a little pointless?!? The user account would still have a password though...

Feedback welcome!

Thanks guys
0
Comment
Question by:mpaert
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 18

Assisted Solution

by:Garry Glendown
Garry Glendown earned 250 total points
ID: 36534443
As for encrypting the system drive, keep in mind that Windows does all kind of things all over the place, storing temporary files, swap files, etc on the system drive, so you have no say-so over where confidential information might end up at when being loaded off of the external drive. From that point of view, yes, encrypting the system drive will increase the security of the data.

Not sure what you mean with the encryption authentication though ...
0
 
LVL 25

Expert Comment

by:RobMobility
ID: 36550086
Hi,

Do you have a KVM over IP solution on the server such as ILO or DRAC - would having access to this not enable you to authenticate via that console?

Regards.


RobMobility.
0
 
LVL 54

Accepted Solution

by:
McKnife earned 250 total points
ID: 36554064
First of all: are you open to alternatives?
If your server (what OS?) would be windows server 2008, you could use bitlocker. And IF, yes, if the mainboard supports it, let bitlocker use the TPM chip of the board. This would be a wholedisk encryption without a password and the need for someone to be present at reboots.
"Would that be secure", you might ask. It depends. If someone manages to cold boot attack your server (see http://www.youtube.com/watch?v=JDaicPIgn9U for a demonstration), your data will be lost. Second way to get to your data would be the infamous Firewire hack http://www.youtube.com/watch?v=5N-C5s_07Ts - applicable only if a firewire port is present.
So you see, there are ways in and those are realistic. To have an entire system encrypted AND 100% secure AND handsfree (no password) is NOT possible - period.
------------

What IS possible handsfree is using truecrypt together with a keyfile. Let me explain:
Your file server (windows, I suppose) will have 2 partitions, OS and data. If you don't care about the OSD partition (you should not need to care about the pagefile, because the restricted documents do not get worked on at the server itself), just use Truecrypt to encrypt the data partition using no password but a keyfile (TC offers to do so). Now place that keyfile on a share of a remote server that noone has physical access to but you. Share permissions and NTFS permissions of that keyfile will have to be restricted, too (in our domain, we use the system account: fileserver$)
Next, create a scheduled task on your file server that uses truecrypt.exe scripted (batch script). TC can mount your whole partition using that keyfile totally unattended that way. Afterwards restart the server service with that script, too, to recreate the shares [shares are created at system startup normally - as we have to mount first, we need to use sc.exe to restart the server service afterwards]. Done. This is how our company solved that problem.

Now what would happen if a thief comes and steals the server? The data partition is encrypted, the thief would need the keyfile. Without, he is lost. So his only possibility to get to the data would again be the cold boot attack and firewire BUT this time he would have to perform this attack while the data partition is mounted which means RIGHT AT YOUR COMPANY and not in his cosy hideout with lots of time and planning. Once he turns off the machine, the keyfile is gone.

Two last things:
1 you will need to be aware that this keyfile is really important and keep a backup of it secured somewhere. Best would be to keep it on two server's shares and use the second one if the first one is not available. Remember: both of these servers need to be physically secured.
2 Adjust your file server backup to your new needs.
0
Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

 
LVL 54

Expert Comment

by:McKnife
ID: 36554075
One more thing about the scheduled task that does the mounting: it must be run at system startup (and as I proposed using the account: system which does not need a password to be entered=leave it blank if asked for one).
0
 
LVL 54

Expert Comment

by:McKnife
ID: 36582250
> Feedback welcome!
Same on my side :)
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 37158293
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

How Do You Stack Up Against Your Peers?

With today’s modern enterprise so dependent on digital infrastructures, the impact of major incidents has increased dramatically. Grab the report now to gain insight into how your organization ranks against your peers and learn best-in-class strategies to resolve incidents.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Smart phones, smart watches, Bluetooth-connected devices—the IoT is all around us. In this article, we take a look at the security implications of our highly connected world.
No single Antivirus application (despite claims by manufacturers) will catch or protect you from all Virus / Malware or Spyware threats. That doesn't stop you from further protecting yourself however - and this article is to show you how.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question